Methods, systems, and apparatuses are described for identifying unauthorized (e.g., rogue) access points. Authorized access points can detect the presence of rogue access points by determining signal strengths associated with other access points. A detected variance from an expected signal strength can indicate a presence of a rogue access point.
Legal claims defining the scope of protection, as filed with the USPTO.
. A method comprising:
. The method of, further comprising sending an indication that the first network device identifier is compromised, wherein the indication causes the network device to disconnect any user devices in communication with the network device based on the first network device identifier.
. The method of, wherein the indication further causes the network device to be in communication, via the second network device identifier, with at least one user device that was in communication with the network device based on the first network device identifier.
. The method of, further comprising determining, based on the compromised first network device identifier, that the network device is compromised.
. The method of, further comprising, sending, to the network device, an instruction to change the first network device identifier to the second network device identifier.
. The method of, wherein determining the baseline signal strength value further comprises storing a timestamp associated with the authorized provisioning or enrollment process.
. An apparatus comprising:
. The apparatus of, wherein the processor-executable instructions, when executed by the one or more processors, further cause the apparatus to send an indication that the first network device identifier is compromised, wherein the indication causes the network device to disconnect any user devices in communication with the network device.
. The apparatus of, wherein the indication further causes the network device to be in communication, via the second network device identifier, with at least one user device that was in communication with the network device based on the first network device identifier.
. The apparatus of, wherein the processor-executable instructions, when executed by the one or more processors, further cause the apparatus to determine, based on the compromised first network device identifier, that the network device is compromised.
. The apparatus of, wherein the processor-executable instructions, when executed by the one or more processors, further cause the apparatus to send, to the network device, an instruction to change the first network device identifier to the second network device identifier.
. The apparatus of, wherein the processor-executable instructions further cause the apparatus to store a timestamp associated with the authorized provisioning or enrollment process during which the baseline signal strength value was measured.
. A method comprising:
. The method of, further comprising storing the signal-strength value as the baseline signal-strength value for later comparison with subsequently measured signal-strength values.
. The method of, wherein the message causes the second network device to disassociate from the first network device.
. The method of, wherein determining the baseline signal strength value further comprises validating that the authorized provisioning or enrollment process was performed using authenticated credentials of the second network device.
. A first network device apparatus comprising:
. The apparatus of, wherein the processor-executable instructions further cause the apparatus to store the retrieved signal-strength value as the baseline signal-strength value for subsequent comparisons.
. The apparatus of, wherein the message causes the second network device to disassociate one or more user devices associated with the second network device.
. The apparatus of, wherein the processor-executable instructions further cause the apparatus to validate that the authorized provisioning or enrollment process was performed using authenticated credentials of the second network device.
Complete technical specification and implementation details from the patent document.
This application is a continuation of U.S. patent application Ser. No. 15/809,825, filed Nov. 10, 2017, which is hereby incorporated by reference in its entirety.
Rogue hotspots (e.g., unauthorized access points) masquerade as authorized access points to trick a user and/or user device into connecting to the rogue hotspot by broadcasting network credentials that resemble an authorized access point. A device (e.g., user device, mobile device, network device, etc.) can connect to the rogue access point unaware that it is not connected to an authorized access point. The rogue access point can then obtain sensitive information associated with the device and/or harm the device. Rogue hotspots have presented a challenge and, as yet, no workable solution has been developed for their detection. These and other shortcomings are addressed by the methods and systems disclosed herein.
It is to be understood that both the following general description and the following detailed description provide examples, are explanatory only, and are not restrictive. Provided are methods and systems for detecting rogue hotspots (e.g., unauthorized access points).
“Man-in-the-middle” attacks can involve rogue hotspots. Rogue hotspots are devices that copy identifier information such as service set identifiers (SSIDs) and media access control (MAC) addresses associated with access points to trick devices into believing they are in communication with the access point when they are actually in communication with the rogue hotspot. When a device, such as a user device, smartphone, laptop, etc., connects to the rogue hotspot, the rogue hotspot can obtain access to data communications associated with the device because the device is now transmitting and receiving data via the rogue access point.
One or more access points can be used to detect the rogue hotspot by determining, via periodic scans of the network, the presence of other access points and creating/storing a list of the access points. The list of the access points can also comprise signal strength information associated with each of the one or more access points. Subsequent scans of the network can be used to look for the characteristics of a rogue hotspot, such as inconsistent or fluctuating signal strength measurements for a single identifier, which can indicate that a rogue hotspot has copied the identifier information of an access point (e.g., a now compromised access point). The copied identifier information can be stored as compromised identifier information. Based on the detection of the rogue hotspot, actions can be taken to remove the rogue hotspot from the network, such as causing the compromised access point to disassociate (e.g., disconnect, cease communication, deauthenticate, etc.) from devices (e.g., user devices) in communication with the compromised access point and generating new identifier information for the compromised access point, for example.
Additional advantages will be set forth in part in the description which follows or may be learned by practice. The advantages will be realized and attained by means of the elements and combinations particularly pointed out in the appended claims.
Before the present methods and systems are disclosed and described, it is to be understood that the methods and systems are not limited to specific methods, specific components, or to particular implementations. It is also to be understood that the terminology used herein is for the purpose of describing particular examples only and is not intended to be limiting.
As used in the specification and the appended claims, the singular forms “a,” “an,” and “the” include plural referents unless the context clearly dictates otherwise. Ranges may be expressed herein as from “about” one particular value, and/or to “about” another particular value. When such a range is expressed, another example includes from the one particular value and/or to the other particular value. Similarly, when values are expressed as approximations, by use of the antecedent “about,” it will be understood that the particular value forms another example. It will be further understood that the endpoints of each of the ranges are significant both in relation to the other endpoint, and independently of the other endpoint.
“Optional” or “optionally” means that the subsequently described event or circumstance may or may not occur, and that the description includes examples where said event or circumstance occurs and examples where it does not.
Throughout the description and claims of this specification, the word “comprise” and variations of the word, such as “comprising” and “comprises,” means “including but not limited to,” and is not intended to exclude, for example, other components, integers or steps. “Such as” is not used in a restrictive sense, but for explanatory purposes.
Disclosed are components that can be used to perform the disclosed methods and systems. These and other components are disclosed herein, and it is understood that when combinations, subsets, interactions, groups, etc. of these components are disclosed that while specific reference of each various individual and collective combinations and permutation of these may not be explicitly disclosed, each is specifically contemplated and described herein, for all methods and systems. This applies to all examples of this application including, but not limited to, steps in disclosed methods. If there are a variety of additional steps that can be performed it is understood that each of these additional steps can be performed with any specific example or combination of examples of the disclosed methods.
The present methods and systems may be understood more readily by reference to the following detailed description of preferred examples and other examples included therein and to the Figures and their previous and following description.
As will be appreciated by one skilled in the art, the methods and systems may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware components. Furthermore, the methods and systems may take the form of a computer program product on a computer-readable storage medium having computer-readable program instructions (e.g., computer software) embodied in the storage medium. More particularly, the present methods and systems may take the form of web-implemented computer software. Any suitable computer-readable storage medium may be utilized including hard disks, CD-ROMs, optical storage devices, or magnetic storage devices.
Examples of the methods and systems are described below with reference to block diagrams and flowcharts of methods, systems, apparatuses and computer program products. It will be understood that each block of the block diagrams and flowcharts, and combinations of blocks in the block diagrams and flowcharts, respectively, can be implemented by computer program instructions. These computer program instructions may be loaded onto a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions which execute on the computer or other programmable data processing apparatus create a means for implementing the functions specified in the flowchart block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including computer-readable instructions for implementing the function specified in the flowchart block or blocks. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions that execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks.
Accordingly, blocks of the block diagrams and flowcharts support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that each block of the block diagrams and flowcharts, and combinations of blocks in the block diagrams and flowcharts, can be implemented by special purpose hardware-based computer systems that perform the specified functions or steps, or combinations of special purpose hardware and computer instructions.
This detailed description may refer to content items (which may also be referred to as “content,” “content data,” “content information,” “content asset,” “multimedia asset data file,” or simply “data” or “information”). Content items can comprise any information or data that may be licensed to one or more individuals (or other entities, such as a business or group). In various examples, content may include electronic representations of video, audio, text and/or graphics, which may include but is not limited to electronic representations of videos, movies, or other multimedia, which may include but is not limited to data files adhering to MPEG2, MPEG, MPEG4 UHD, HDR, 4k, Adobe® Flash® Video (.FLV) format or some other video file format whether such format is presently known or developed in the future. In various examples, the content items described herein may include electronic representations of music, spoken words, or other audio, which may include but is not limited to data files adhering to the MPEG-1 Audio Layer 3 (.MP3) format, Adobe® Sound Document (.ASND) format, CableLabs 1.0, 1.1, 3.0, AVC, HEVC, H.264, Nielsen watermarks, V-chip data and Secondary Audio Programs (SAP), or some other format configured to store electronic audio whether such format is presently known or developed in the future. In some cases, content may include data files adhering to the following formats: Portable Document Format (.PDF), Electronic Publication (.EPUB) format created by the International Digital Publishing Forum (IDPF), JPEG (.JPG) format, Portable Network Graphics (.PNG) format, dynamic ad insertion data (.csv), Adobe® Photoshop® (.PSD) format or some other format for electronically storing text, graphics and/or other information whether such format is presently known or developed in the future. In some examples, content items may include any combination of the above-described examples.
This detailed disclosure may refer to consuming content or to the consumption of content, which may also be referred to as “accessing” content, “providing” content, “viewing” content, “listening” to content, “rendering” content, or “playing” content, among other things. In some cases, the particular term utilized may be dependent on the context in which it is used. For example, consuming video may also be referred to as viewing or playing the video. In another example, consuming audio may also be referred to as listening to or playing the audio.
Note that this detailed disclosure may refer to a given entity performing some action. It should be understood that this language may in some cases mean that a system (e.g., a computer) owned and/or controlled by the given entity is actually performing the action.
The present disclosure relates to methods and systems to detect rogue (e.g., unauthorized, illegitimate, untrusted, spoofing, etc.) network hotspots (e.g., access points). Additionally, the methods and systems disclosed can detect compromised access points, such as authorized access points that are associated with identifier information (e.g., SSID, MAC address, etc.) that has been copied by a rogue hotspot. A network can comprise a plurality of authorized network access points (e.g., access points authorized to be in communication with the network) that enable devices to be in communication with other devices and/or the network. Rogue hotspots can be unauthorized (e.g., illegitimate, untrusted, spoofing, etc.) network access points, controlled by a malicious entity and/or person, masquerading as authorized network access points. The unauthorized access point need not be an actual access point; instead it can be a wireless device such as a smartphone, laptop, tablet, computer, mobile computing device, and the like, for example. The unauthorized access point can masquerade as an authorized (e.g., legitimate, trusted, etc.) access point to trick a device/user into being in communication with and/or connecting to the unauthorized access point. For example, the unauthorized access point can masquerade as an authorized access point by using identifier information (e.g., a service set identifier (SSID), a media access control (MAC) address, a name, etc.) that is a copy (e.g., an exact copy, a similarity, a resemblance) of identifier information associated with the authorized access point. A device (e.g., user device, mobile device, network device, etc.) attempting to connect to/be in communication with the network via the authorized access point can instead be in communication with the unauthorized access point. The device can be unaware that it is in communication with the unauthorized access point.
The device can transmit and/or receive data/information via the unauthorized access point. The unauthorized access point can obtain sensitive information associated with the device (e.g., user information, personal information, credit card information, login credentials, etc.) and/or take other negative actions (e.g., malware installation) that harm the device and/or a user of the device.
One or more authorized (e.g., legitimate, trusted, etc.) access points of the plurality of authorized access points can detect the unauthorized (e.g., illegitimate, untrusted, etc.) access point. An authorized access point can detect the unauthorized access point by determining that a signal strength (e.g., received signal strength indication (RSSI)) measured for another authorized access point does not coincide with a predetermined (baseline) signal strength for that other authorized access point. A measured signal strength that does not coincide with the baseline signal strength with which the other authorized access point is associated can indicate that identifier information (e.g., a SSID, a MAC address, etc.) associated with that other authorized access point has been copied by an unauthorized access point: the copy is transmitted from a different radio at a different location and therefore arrives at the observing access point at a different signal strength than the baseline. An authorized access point associated with identifier information that has been copied by an unauthorized access point is referred to as a compromised access point.
Each authorized access point of the plurality of authorized access points can keep track of other authorized access points in proximity by periodically probing/scanning the network. During periodic probes/scans of the network, each authorized access point of the plurality of authorized access points can gather information associated with other authorized access points. The information associated with the other authorized access points can include identifier information (e.g., a SSID, a MAC address, etc.) and other information such as baseline (e.g., routine, consistent, etc.) signal strength (e.g., received signal strength indication (RSSI)) information, RSSI measurements, a name, combinations thereof, and the like. Each of the one or more authorized access points can store the identifier information and any other information associated with the other authorized access points. Further, each of the one or more authorized access points can transmit identifier information (e.g., identifier information associated with other authorized access points) or any other information to a computing device, such as a server/cloud-based device for example. The computing device can determine a confidence level associated with a determination by authorized access points that another authorized access point is a compromised access point (e.g., an authorized access point associated with identifier information that has been copied by an unauthorized access point). The computing device can determine the confidence level by comparing and/or reconciling identifier information associated with a particular authorized access point and received from each of the plurality of authorized access points. 
If the confidence level satisfies a threshold (e.g., a number of authorized access points providing the same and/or similar identifier information), the computing device can determine/verify that the identifier information associated with the particular authorized access point has been copied by an unauthorized access point and that the particular authorized access point is a compromised access point. The computing device can store the identifier information associated with the compromised access point. For example, the computing device can store the identifier information associated with the compromised access point as compromised identifier information. The computing device can store a record of any received identifier information determined to be compromised by an unauthorized access point in a database comprising a plurality of compromised identifier information.
Based on a determination that a compromised access point exists in the network (and/or that an unauthorized access point exists in the network), actions can be taken to neutralize the effect of the unauthorized access point. Information (e.g., a message, code, etc.) can be sent to the compromised access point that causes the compromised access point to deauthenticate/disassociate devices (e.g., user devices, mobile devices, network devices, etc.) in communication and/or associated with it. For example, a message can be sent to the compromised access point that causes it to transmit deauthentication and/or disassociation frames to every device associated with it via the SSID and/or MAC address that has been copied. Information (e.g., a message, code, etc.) can also be sent to the compromised access point that causes it to change/modify its identifier information. For example, a message can be sent to the compromised access point that causes it to change the SSID and/or MAC address with which it is associated to a new SSID and/or MAC address. The unauthorized access point has copied only the old identifier information and will be unaware of the new SSID and/or MAC address, so the previously compromised access point is once again an authorized access point under the new identifier information, while the old identifier information is retained as compromised identifier information. Devices that were previously connected to/in communication with the previously compromised access point can reconnect, re-associate with, and/or be in communication with it using the new identifier information.
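The scan, baseline, multi-observer confidence and deauthenticate-then-rotate sequence described above, as an added illustrative example written for this page (not the patent's implementation): each authorized AP keeps a baseline RSSI per neighbouring BSSID from its enrollment scans and flags a BSSID whose later measurements fall outside the baseline, or that shows up twice in one sweep at widely different strength; a server-side controller only acts once enough independent observers agree. The class names, the 3-sigma / 6 dB tolerance, the two-observer threshold, the tuple-shaped response actions and the sample scans are all assumptions.

```python
# Added example: baseline-RSSI rogue hotspot detection with multi-observer
# confirmation and an identifier-rotation response. Illustrative code written
# for this page, not the patent's implementation; class names, the 3-sigma /
# 6 dB tolerance, the two-observer threshold and the sample scans are assumptions.
import secrets
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_TOLERANCE_DB = 6   # assumed floor so ordinary fading is not flagged
SIGMA_MULTIPLIER = 3   # assumed: anomalous beyond mean +/- 3 sigma of baseline


@dataclass
class Observation:
    """One beacon seen by an authorized AP during a periodic scan."""
    observer: str   # authorized AP that performed the scan
    bssid: str      # MAC address carried in the beacon
    ssid: str
    rssi: int       # dBm


class AuthorizedAp:
    """Authorized AP keeping a per-neighbour RSSI baseline from its own scans."""

    def __init__(self, name):
        self.name = name
        self.baseline = defaultdict(list)   # bssid -> RSSI samples from enrollment

    def enroll(self, bssid, rssi):
        """Record a sample taken during the authorized provisioning/enrollment phase."""
        self.baseline[bssid].append(rssi)

    def tolerance(self, bssid):
        return max(SIGMA_MULTIPLIER * pstdev(self.baseline[bssid]), MIN_TOLERANCE_DB)

    def check_scan(self, scan):
        """BSSIDs whose RSSI departs from the baseline, or which appear more than
        once in one sweep at widely different RSSI (two radios, one identity)."""
        by_bssid = defaultdict(list)
        for obs in scan:
            if obs.observer == self.name:
                by_bssid[obs.bssid].append(obs.rssi)
        flagged = set()
        for bssid, rssis in by_bssid.items():
            if bssid not in self.baseline:
                continue    # not an enrolled neighbour; nothing to compare against
            expected, tol = mean(self.baseline[bssid]), self.tolerance(bssid)
            if any(abs(r - expected) > tol for r in rssis) or max(rssis) - min(rssis) > tol:
                flagged.add(bssid)
        return flagged


def random_local_mac():
    """Fresh locally-administered unicast MAC (first octet: bit 1 set, bit 0 clear)."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


class Controller:
    """Server/cloud side: reconcile verdicts from several authorized APs and, once
    enough of them agree, issue the deauthenticate-and-rotate response."""

    def __init__(self, min_observers=2):
        self.min_observers = min_observers
        self.votes = defaultdict(set)   # bssid -> observers that flagged it
        self.compromised = {}           # old bssid -> replacement bssid

    def report(self, observer, flagged):
        actions = []
        for bssid in flagged:
            self.votes[bssid].add(observer)
            if len(self.votes[bssid]) >= self.min_observers and bssid not in self.compromised:
                new_bssid = random_local_mac()
                self.compromised[bssid] = new_bssid   # old identity stays on the compromised list
                actions.append(("deauthenticate_clients", bssid))
                actions.append(("rotate_identifiers", bssid, new_bssid))
        return actions


def run_demo():
    """Constructed scenario: two authorized APs watch a third, then a rogue copies it."""
    target = "02:00:00:00:00:03"   # constructed BSSID of the AP being impersonated
    ap1, ap2 = AuthorizedAp("ap1"), AuthorizedAp("ap2")
    for r in (-60, -61, -59, -60):
        ap1.enroll(target, r)
    for r in (-66, -65, -64, -65):
        ap2.enroll(target, r)
    ctl = Controller(min_observers=2)
    quiet = [Observation("ap1", target, "corp-wifi", -62)]               # normal fading
    rogue_at_ap1 = [Observation("ap1", target, "corp-wifi", -60),       # the real AP
                    Observation("ap1", target, "corp-wifi", -35)]       # the copy, much closer
    rogue_at_ap2 = [Observation("ap2", target, "corp-wifi", -38)]
    first = ctl.report("ap1", ap1.check_scan(quiet))
    second = ctl.report("ap1", ap1.check_scan(rogue_at_ap1))
    third = ctl.report("ap2", ap2.check_scan(rogue_at_ap2))
    return first, second, third, ctl
```

In `run_demo()` the quiet sweep produces no action, the first rogue sighting is recorded but not acted on because only one observer has flagged the BSSID, and the second observer's report crosses the threshold and yields the two response actions. The replacement MAC has the locally-administered bit set so it cannot collide with a vendor-assigned address, and the old BSSID remains in `compromised` so that a later report about it does not trigger a second rotation; a real controller would also store the timestamp of the enrollment scans alongside the baseline, as the claims above describe.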
Disclosed is a system to detect rogue hotspots (e.g., unauthorized access points, illegitimate access points, untrusted access points, etc.). Additionally, the system disclosed can detect compromised access points, such as authorized access points that are associated with identifier information (e.g., SSID, MAC address, etc.) that has been copied by a rogue hotspot. An example environment in which the present methods and systems can operate is depicted in the figures. The present disclosure is relevant to systems and methods for providing unauthorized access point detection services. One or more network devices can be configured to provide various services to one or more devices, such as wireless communication services and unauthorized access point detection services. The network devices can be configured to recognize an authoritative device for a premises (e.g., local network) and/or a wide area network. As an example, an authoritative device (e.g., authorized access point, network device, computing device, server, cloud-based device, etc.) can be configured to govern or enable connectivity to a network such as the Internet or other remote resources, provide address and/or configuration services such as service set identifier (SSID) configuration, media access control (MAC) address configuration, DHCP, and/or provide naming or service discovery services for a premises, wide area network or a combination thereof. Those skilled in the art will appreciate that the present methods may be used in various types of networks and systems that employ both digital and analog equipment. One skilled in the art will appreciate that provided herein is a functional description and that the respective functions can be performed by software, hardware, or a combination of software and hardware.
The network and system can comprise a user device (e.g., a mobile communication device, a computer, a smartphone, a laptop, a tablet, a set top box, a display device, etc.) in communication with a network via a network device (e.g., access point, authorized access point, legitimate access point, trusted access point, etc.). The network and system can comprise a plurality of such network devices, for example. The user device and/or the network devices can be in communication with a computing device (e.g., a server, a network device, a computer, a cloud-based device, etc.). The computing device can be disposed locally or remotely relative to the user device and/or the network devices. The network can comprise one or more networks, such as a wide area network (e.g., a content network, service network, provider network, the Internet), a public network, an open network, a provider managed network, a non-user managed network, a provider controlled network, a non-user controlled network, a local network, a private network, a closed network, a user managed network, a user controlled network, a user deployed network, and/or the like. Other forms of communications can be used, such as wired and wireless telecommunication channels, for example.
The user device can be a communication device, such as a computing device. For example, the user device can comprise a communication element for providing an interface to a user to interact with the user device, the network devices, and/or the computing device. The communication element can be any interface for presenting information to the user and receiving user feedback, such as an application client or a web browser (e.g., Internet Explorer, Mozilla Firefox, Google Chrome, Safari, or the like). Other software, hardware, and/or interfaces can be used to provide communication between the user and one or more of the user device, the network devices, and/or the computing device. As an example, the communication element can request or query various files from a local source and/or a remote source. As an example, the communication element can receive various files from a local source and/or a remote source. As a further example, the communication element can transmit data to and/or receive data from a local or remote device, such as the computing device.
The user device can be associated with a user identifier or device identifier. As an example, the device identifier can be any identifier, token, character, string, or the like, for differentiating one user and/or user device from another user or user device. The device identifier can identify a user or user device as belonging to a particular class of users or user devices. As a further example, the device identifier can comprise information relating to the user device, such as a manufacturer, a model or type of device, a service provider associated with the user device, a state of the user device, a locator, and/or a label or classifier. Other information can be represented by the device identifier.
The device identifier can comprise an address element and/or a service element. The address element can be an internet protocol address, a MAC address, a network address, an Internet address, or the like. As an example, the address element can be relied upon to establish a communication session between the user device and the computing device or other devices and/or networks. As a further example, the address element can be used as an identifier or locator of the user device. The address element can be persistent for a particular network and/or location.
The service element can comprise an identification of a service and/or service provider associated with the user device and/or with the class of user device. As an example, the service element can comprise information relating to or provided by a communication service provider (e.g., Internet service provider) that is providing or enabling communication services to the user device. As a further example, the service element can comprise information relating to a preferred service provider for one or more particular services relating to the user device. The address element can be used to identify or retrieve the service element, or vice versa. As a further example, one or more of the address element and the service element can be stored remotely from the user device and retrieved by one or more devices, such as the user device and the computing device. Other information can be represented by the service element.
The user devicecan store identifier information (e.g., identifier information, identifier information). The identifier information can comprise information such as SSIDs, MAC addresses, passwords, security settings, combinations thereof, and the like associated with one or more networks and/or network devices (e.g., access points, authorized access points, network devicesand) to which the user deviceis authorized to connect. Each network device can be associated with identifier information. For example, the network devicecan be associated with identifier informationand the network devicecan be associated with identifier information. The identifier information (e.g., identifier information, identifier information) can comprise network credentials (e.g., SSID, MAC address, etc.) for accessing the network devicesand
The identifier information (e.g., identifier information, identifier information) can comprise a unique identifier for facilitating communications with devices such as user device, for example. Further, the network devicesandcan be in communication with a network, such as the network. For example, the network devicesandcan facilitate the connection of a device, such as the user device, to the network. As such, the network devicesandcan be configured as network gateways and/or access points. The network devicesandcan be configured to allow one or more wireless devices to connect to a wired and/or wireless network using Wi-Fi, Bluetooth or similar standard. The network devicesandcan be multi-band wireless network devices. The identifier informationcan comprise service set identifier (SSID) information. The SSID information can comprise basic service set identifier (BSSID) information, extended service set identifier (ESSID) information, combinations thereof, and the like. The network devicesandcan be configured with a first service set identifier (SSID) to function as a local network for a particular user or users (e.g., associated with a user network or private network). The network devicesandcan be configured with a second service set identifier (SSID) (e.g., associated with a public/community network, hidden network, or limited services (e.g., provisioning) network) to function as a secondary network or redundant network for connected communication devices. The network devicesandcan be accessed via identifier informationand, respectively. Further, the identifier information (e.g., identifier information, identifier information) can comprise information associated with the network devicesandsuch as the SSID (e.g., SSID, BSSID, ESSID, first SSID, second SSID, etc.) information, password information, security settings, communication signal information, combinations thereof, and the like. 
Some or all of the identifier information can be stored in an encrypted or hashed form.
The network devices can be in communication with the computing device to provide the computing device with periodic identifier information (e.g., identifier information associated with authorized access points, identifier information associated with compromised access points, etc.) and/or any other information determined based on a periodic probe/scan of the network. The network devices can transmit such identifier information and/or any other information determined during a periodic probe/scan to the computing device. The computing device can be a network device such as a server/cloud-based device in communication with devices such as the network devices, the user device, and any other device for providing services such as unauthorized access point (e.g., rogue hotspot, rogue device) detection services. The computing device can allow the network devices, the user device, and any other device to interact with remote resources, such as data, devices, and files. For example, the computing device can be configured as a central location (e.g., a headend or processing facility), which can receive content (e.g., RSSI information, identifier information, data, input programming) from multiple sources. The computing device can combine the content (e.g., into the master list) from the various sources (e.g., the network devices) and can distribute the content to user (e.g., subscriber) locations and/or any other location via a distribution system.
The computing device can manage the communication between the network devices, the user device, any other device, and a database for sending and receiving data therebetween. For example, the network devices, the user device, and any other device can request and/or retrieve a file from the database. The database can store information relating to the network devices, the user device, and any other device (such as compromised identifier information, the identifier information, the address element, and/or the service element), as well as information related to the network device, the user device, and any other device (such as RSSI information, identifier information associated with one or more network devices, the master list, etc.).
The network devices can periodically transmit and/or broadcast at least a portion of the identifier information (e.g., MAC address, SSID, signal strength information, etc.) to other devices, such as another network device, the computing device, combinations thereof, and the like. Additionally, the network devices can periodically transmit and/or broadcast additional information to the other devices. For example, the network devices can periodically transmit and/or broadcast a beacon comprising the identifier information and/or additional information. The beacon comprising the identifier information can be associated with a signal strength (e.g., a signal strength value, RSSI, etc.) associated with the network devices. For example, the beacon can inform other devices, such as another network device, the computing device, combinations thereof, and the like, that a signal strength associated with the network devices was and/or is provisioned at a certain value (e.g., decibel value, amplitude value, power value, etc.). The provisioned value of a signal strength associated with a network device can be a baseline (e.g., consistent, regular, routine, etc.) signal strength associated with that network device. Additionally, the beacon can also comprise information to facilitate a connection between the user device and the network devices, such as an SSID. The beacon can be transmitted over one or more channels and/or frequency bands. The network devices can transmit and/or receive multiple beacons that can comprise information such as all or at least a portion of the identifier information, additional information, and the like.
The network devices can determine a signal strength associated with another network device based on measuring a value (e.g., decibel value, amplitude value, power value, integrity value, etc.) associated with the received beacon(s). For example, a network device can receive, during a periodic probe/scan, a beacon from another network device. The beacon can comprise an identifier (e.g., identifier information) associated with the other network device. The network device can determine that the beacon is associated with the other network device based on the identifier. The beacon can comprise a signal strength indicator (e.g., RSSI). The network device can determine a signal strength associated with the other network device based on received signal strength indicator (RSSI) measurements associated with the other network device. The network device can determine a baseline signal strength associated with the other network device by measuring a received signal strength indicator (RSSI) associated with the other network device. For example, during a probe/scan (e.g., an initial probe/scan) of the network to determine the network devices in the network (e.g., network device discovery, access point discovery, etc.), an initial list of network devices (e.g., network devices, access points, etc.) in communication with the network can be generated by the network devices. A received signal strength indication (RSSI) for each of the network devices (e.g., network devices, access points, etc.) on the initial list can be measured and stored as a baseline signal strength associated with each of those network devices.
The initial list and/or any other related list (e.g., a list created based on a periodic probe/scan of the network) can be stored by the network devices or by another device. For example, the network devices can transmit the initial list (or any other related list) to the computing device. The computing device can receive initial lists (or any other related lists) from a plurality of network devices and generate/store/update a master list comprising the received lists (or any other related lists). The list (e.g., the initial list or any other related list) can be updated with new RSSI measurements associated with network devices (e.g., network devices, access points, etc.) based on periodic probes/scans of the network. The initial list, the master list, and/or any related list can comprise information (e.g., identifier information, discovery information, provisioning information, etc.) associated with the RSSI measurements/information determined from each of the network devices.
The network devices can detect a device, such as a rogue device (e.g., rogue hotspot, unauthorized access point, etc.), that is not authorized to provide communication to and/or be in communication with the network. For example, the rogue device can be a device such as a smartphone, laptop, tablet, computer, mobile computing device, and the like, configured to mimic a network device (e.g., an authorized access point). The rogue device can mimic a network device (e.g., an authorized access point) by copying and broadcasting/transmitting a beacon comprising identifier information associated with the network device. For example, the rogue device can mimic the network device by copying identifier information which comprises information such as a MAC address and/or SSID associated with the network device and storing the copied identifier information. One or more devices (e.g., the user device) can be in communication with the rogue device based on the copied identifier information associated with the network device. The one or more devices (e.g., the user device) can be unaware that they are in communication with the rogue device instead of a network device. The network device can determine/detect that the rogue device is present in the network based on one or more received signal strength indicators (RSSIs) associated with the network device determined during a periodic probe/scan.
The network devices can determine/detect that the rogue device is present in the network based on one or more received signal strength indicators (RSSIs) received during a periodic probe/scan of the network. The network devices can periodically probe/scan the network for a time window (e.g., a time period of 20 microseconds) and determine information associated with the network and/or devices in communication with the network (e.g., the network devices, the rogue device, etc.). The network devices can determine the information associated with the network and/or devices in communication with the network based on information received during the time window. For example, the network devices can periodically probe/scan the network for a time window of 20 microseconds and determine information associated with the network and/or devices in communication with the network, such as a value of a received signal strength indicator (RSSI).
The network devices can determine, based on the RSSI value, whether a device associated with the RSSI and/or identifier information is the authorized network device that should be associated with that RSSI and/or identifier information or a rogue device (e.g., rogue hotspot, unauthorized access point, etc.). For example, the network devices can determine from the periodic probe/scan (e.g., an initial probing/scanning) of the network that an RSSI associated with another network device is routinely and/or consistently 60 decibels (dB). A list (e.g., the initial list) of network devices (e.g., authorized access points) can comprise information (e.g., discovery information, provisioning information, etc.) detailing that the RSSI associated with the other network device is routinely and/or consistently 60 dB.
The network devices can determine that an RSSI associated with the other network device varies within a threshold from the information detailing that the RSSI associated with the other network device is routinely and/or consistently 60 dB (e.g., a baseline RSSI of 60 dB). For example, during a periodic probe/scan of the network, the network devices can take/determine multiple RSSI measurements associated with the other network device. The network device can determine that the multiple RSSI measurements associated with the other network device taken during the time window are of a certain value such as 59 dB, 58 dB, etc. The network devices can determine that the multiple RSSI measurements do not exceed a threshold variance from 60 dB. The threshold variance can be, for example, +/−1 dB, 2 dB, 3 dB, 4 dB, 5 dB, 6 dB, 7 dB, 8 dB, 9 dB, 10 dB, 11 dB, 12 dB, 13 dB, 14 dB, 15 dB, 16 dB, 17 dB, 18 dB, 19 dB, 20 dB, 21 dB, 22 dB, 23 dB, 24 dB, 25 dB, and the like. One of skill in the art will appreciate that other threshold variances can be used and can vary depending on what measurement is used.
The number of RSSI measurements taken/determined can be manually provisioned. For example, the network devices can be manually configured to take five RSSI measurements, ten RSSI measurements, twenty RSSI measurements, or any number of RSSI measurements during the time window. Additionally, the number of RSSI measurements taken/determined can be dynamically determined by the network devices. For example, the network devices can automatically determine any number of RSSI measurements to take/determine during the time window. A threshold variance value can be set at any deviation from the baseline signal strength, for example, +/−1 dB, 2 dB, 3 dB, 4 dB, 5 dB, 6 dB, 7 dB, 8 dB, 9 dB, 10 dB, 11 dB, 12 dB, 13 dB, 14 dB, 15 dB, 16 dB, 17 dB, 18 dB, 19 dB, 20 dB, 21 dB, 22 dB, 23 dB, 24 dB, 25 dB, and the like. One of skill in the art will appreciate that other threshold variances can be used and can vary depending on what measurement is used. Based on the multiple RSSI measurements not exceeding the threshold variance, the network devices can determine that the other network device is not compromised. The other network device is not compromised if the identifier information associated with the other network device has not been copied by the rogue device. The network devices can determine, based on the other network device not being compromised, that the rogue device is not present in the network. Conversely, the other network device is compromised if the identifier information associated with the other network device has been copied by the rogue device.
The rogue device can be associated with an RSSI that is inconsistent in value, fluctuates, and/or exhibits erratic behavior during the time window. For example, the rogue device can be associated with an RSSI that changes in value from 60 dB to 30 dB within a time window associated with a periodic probe/scan. The change in value from 60 dB to 30 dB within the time window can exceed a threshold variance from 60 dB. A threshold variance value can be set at any deviation from the baseline signal strength; the threshold variance can be, for example, +/−1 dB, 2 dB, 3 dB, 4 dB, 5 dB, 6 dB, 7 dB, 8 dB, 9 dB, 10 dB, 11 dB, 12 dB, 13 dB, 14 dB, 15 dB, 16 dB, 17 dB, 18 dB, 19 dB, 20 dB, 21 dB, 22 dB, 23 dB, 24 dB, 25 dB, and the like from the baseline signal strength. One of skill in the art will appreciate that other threshold variances can be used and can vary depending on what measurement is used. The network devices can determine, based on the RSSI associated with the rogue device not coinciding/reconciling with the information (e.g., discovery information, provisioning information, etc.) associated with the other network device stored in the initial list (or any other list), that the identifier information associated with the other network device has been copied by the rogue device. The network devices can determine, based on RSSI measurements exceeding the threshold variance, that the other network device is compromised. The other network device is compromised if the identifier information associated with the other network device has been copied by the rogue device.
The network devices can store the identifier information associated with the other network device as compromised identifier information. The network devices can transmit the identifier information associated with the other network device to another device, such as the computing device, for example. The computing device and/or any other device can store (e.g., in the database) the identifier information associated with the other network device as compromised identifier information. The network devices can transmit the compromised identifier information and/or any other information determined from a periodic probe/scan to the computing device. The network devices can transmit the compromised identifier information and/or any other information determined from a periodic probe/scan to the computing device periodically (e.g., every hour, every day, etc.). The network devices can transmit the compromised identifier information and/or any other information determined from a periodic probe/scan to the computing device to update the master list.
The computing device can receive information (e.g., the compromised identifier information, identifier information) from the network devices, the user device, and any other device. The computing device can retrieve information (e.g., the identifier information, compromised identifier information, etc.) from and/or store information in the database (e.g., the master list), such as RSSI information determined by network devices during a periodic probe/scan, identifier information, combinations thereof, and the like. Any information can be stored in and retrieved from the database. The database can be disposed remotely from the computing device and accessed via a direct or indirect connection. The database can be integrated with the computing device or some other device (e.g., the network devices) or system. The computing device may be configured as other devices, such as a user device or a network device, for example.
The computing device can receive the compromised identifier information from the network devices. The computing device can store the compromised identifier information in a database and/or generate/update a list (e.g., the master list) comprising identifier information and/or compromised identifier information associated with a plurality of network devices.
The computing device can determine that a compromised network device (e.g., a compromised access point) and/or a rogue device (e.g., rogue hotspot, unauthorized access point, etc.) exists in the network. The computing device can determine that a compromised network device and/or a rogue device exists in the network based on information, such as signal strength information (e.g., measured signal strength information, RSSI information, etc.), received from a plurality of authorized network devices (e.g., the network devices, authorized access points, etc.). For example, each authorized network device of the plurality of authorized network devices can transmit/provide signal strength information determined during a periodic probe/scan of the network to the computing device. The computing device can analyze the signal strength information received from each authorized network device of the plurality of authorized network devices to determine that a compromised network device and/or a rogue device exists in the network.
The computing device can summate (e.g., average) signal strength information associated with a particular authorized network device that is received from multiple authorized network devices. The computing device can determine that the signal strength information received from multiple authorized network devices is associated with the particular authorized network device based on network identifier information associated with the particular authorized network device received with the signal strength information from the multiple authorized network devices. The computing device can determine a baseline signal strength associated with the particular authorized network device by summating (e.g., averaging) the signal strength information received from the multiple authorized network devices. For example, a first authorized network device can transmit signal strength information associated with the particular authorized network device that informs the computing device that the signal strength associated with the particular authorized network device is 70 dB, and a second authorized network device can transmit signal strength information associated with the particular authorized network device that informs the computing device that the signal strength associated with the particular authorized network device is 68 dB. The computing device can summate or average the signal strength information received from the first authorized network device and the signal strength information received from the second authorized network device to determine that a baseline signal strength associated with the particular authorized network device is 69 dB (e.g., an average of 70 dB and 68 dB).
The computing device can determine whether the particular authorized network device is compromised based on a difference between the baseline signal strength associated with the particular authorized network device and subsequent signal strength measurements associated with the particular authorized network device received from the multiple authorized network devices (e.g., the first authorized network device and the second authorized network device). If the difference between the baseline signal strength associated with the particular authorized network device and a summation or an average of the subsequent signal strength measurements associated with the particular authorized network device received from the multiple authorized network devices does not exceed a threshold variance from 69 dB, then the computing device can determine that the particular authorized network device is not compromised. If the difference between the baseline signal strength associated with the particular authorized network device and a summation or an average of the subsequent signal strength measurements associated with the particular authorized network device received from the multiple authorized network devices exceeds a threshold variance from 69 dB, then the computing device can determine that the particular authorized network device is compromised. The threshold variance can be, for example, +/−1 dB, 2 dB, 3 dB, 4 dB, 5 dB, 6 dB, 7 dB, 8 dB, 9 dB, 10 dB, 11 dB, 12 dB, 13 dB, 14 dB, 15 dB, 16 dB, 17 dB, 18 dB, 19 dB, 20 dB, 21 dB, 22 dB, 23 dB, 24 dB, 25 dB, and the like. One of skill in the art will appreciate that other threshold variances can be used and can vary depending on what measurement is used.
Additionally, the computing device can determine that a compromised network device (e.g., a compromised access point) and/or a rogue device (e.g., rogue hotspot, unauthorized access point, etc.) exists in the network based on information, such as signal strength information (e.g., measured signal strength information, RSSI information, etc.), received from a single authorized network device. For example, the authorized network device can transmit/provide signal strength information determined during a periodic probe/scan of the network to the computing device. The computing device can analyze the signal strength information received from the authorized network device to determine that a compromised network device and/or a rogue device exists in the network.
The computing device can receive signal strength information associated with a particular authorized network device from the authorized network device. The computing device can determine that the signal strength information received from the authorized network device is associated with the particular authorized network device based on network identifier information associated with the particular authorized network device received with the signal strength information from the authorized network device. The computing device can store the signal strength information associated with the particular authorized network device received from the authorized network device as a baseline signal strength associated with the particular authorized network device.
The computing device can determine whether the particular authorized network device is compromised based on a difference between the baseline signal strength associated with the particular authorized network device and subsequent signal strength measurements associated with the particular authorized network device received from the authorized network device. If the difference between the baseline signal strength associated with the particular authorized network device and subsequent signal strength measurements associated with the particular authorized network device received from the authorized network device does not exceed a threshold variance, then the computing device can determine that the particular authorized network device is not compromised. If the difference between the baseline signal strength associated with the particular authorized network device and subsequent signal strength measurements associated with the particular authorized network device received from the authorized network device exceeds a threshold variance, then the computing device can determine that the particular authorized network device is compromised. The threshold variance can be, for example, +/−1 dB, 2 dB, 3 dB, 4 dB, 5 dB, 6 dB, 7 dB, 8 dB, 9 dB, 10 dB, 11 dB, 12 dB, 13 dB, 14 dB, 15 dB, 16 dB, 17 dB, 18 dB, 19 dB, 20 dB, 21 dB, 22 dB, 23 dB, 24 dB, 25 dB, and the like. One of skill in the art will appreciate that other threshold variances can be used and can vary depending on what measurement is used.
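As an added illustration (not code from the patent or its applicant), the following Python sketches both detection paths described above: an authorized access point comparing the RSSI samples of one probe/scan window against its initial list, and the computing device averaging the baselines reported by several authorized access points (the 70 dB and 68 dB example) before comparing later reports against that average. All function names, identifiers such as "AP-B", and the RSSI samples are constructed for this example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Constructed example, not the patent's own code: all names and values are illustrative.
# RSSI values follow the description's convention of positive dB figures.

@dataclass(frozen=True)
class BaselineEntry:
    """One row of an access point's initial list: an identifier and its baseline RSSI."""
    bssid: str
    baseline_db: float
    timestamp: float  # when the baseline was recorded (provisioning/enrollment time)

def build_initial_list(discovery: Dict[str, float], timestamp: float) -> Dict[str, BaselineEntry]:
    """Initial probe/scan: the first RSSI measured for each identifier becomes its baseline."""
    return {bssid: BaselineEntry(bssid, rssi, timestamp) for bssid, rssi in discovery.items()}

def exceeds_variance(baseline_db: float, samples: List[float], threshold_db: float) -> bool:
    """True if any RSSI sample taken in the time window deviates from the baseline by
    more than the threshold variance (e.g. a genuine AP reads 60/59/58 dB, while a
    rogue device broadcasting a copied identifier swings from 60 dB to 30 dB)."""
    return any(abs(sample - baseline_db) > threshold_db for sample in samples)

def classify_window(initial_list: Dict[str, BaselineEntry],
                    window: Dict[str, List[float]],
                    threshold_db: float) -> Dict[str, str]:
    """Access-point side: classify every identifier heard during one probe/scan window.
    'unknown' marks an identifier that is not on the initial list at all."""
    verdicts: Dict[str, str] = {}
    for bssid, samples in window.items():
        entry = initial_list.get(bssid)
        if entry is None:
            verdicts[bssid] = "unknown"
        elif exceeds_variance(entry.baseline_db, samples, threshold_db):
            verdicts[bssid] = "compromised"  # identifier has been copied by a rogue device
        else:
            verdicts[bssid] = "ok"
    return verdicts

def compromised_identifiers(verdicts: Dict[str, str]) -> List[str]:
    """The compromised identifier information an AP reports to the computing device."""
    return sorted(bssid for bssid, verdict in verdicts.items() if verdict == "compromised")

def average_reports(reports: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Computing-device side: summate (average) the RSSI each reporting AP observed
    for a given target identifier. reports[reporter][target] = RSSI in dB."""
    per_target: Dict[str, List[float]] = {}
    for observed in reports.values():
        for bssid, rssi in observed.items():
            per_target.setdefault(bssid, []).append(rssi)
    return {bssid: mean(values) for bssid, values in per_target.items()}

def central_verdicts(baseline_reports: Dict[str, Dict[str, float]],
                     later_reports: Dict[str, Dict[str, float]],
                     threshold_db: float) -> Dict[str, str]:
    """Compare the averaged baseline with the average of later measurements for each
    identifier both rounds report on; a difference beyond the threshold is 'compromised'."""
    baseline = average_reports(baseline_reports)
    later = average_reports(later_reports)
    return {bssid: ("compromised" if abs(later[bssid] - baseline[bssid]) > threshold_db else "ok")
            for bssid in baseline if bssid in later}

# Constructed sample data mirroring the figures quoted in the description.
INITIAL_LIST = build_initial_list({"AP-B": 60.0, "AP-C": 45.0}, timestamp=1_700_000_000.0)
GENUINE_WINDOW = {"AP-B": [60.0, 59.0, 58.0, 60.0, 59.0], "AP-C": [45.0, 44.0, 46.0]}
ROGUE_WINDOW = {"AP-B": [60.0, 30.0, 58.0, 31.0, 60.0], "AP-C": [45.0, 44.0, 46.0]}
BASELINE_REPORTS = {"AP-1": {"AP-B": 70.0}, "AP-2": {"AP-B": 68.0}}  # averages to 69 dB
LATER_REPORTS = {"AP-1": {"AP-B": 71.0}, "AP-2": {"AP-B": 68.0}}     # averages to 69.5 dB

if __name__ == "__main__":
    threshold = 5.0
    print("genuine window:", classify_window(INITIAL_LIST, GENUINE_WINDOW, threshold))
    print("rogue window:  ", classify_window(INITIAL_LIST, ROGUE_WINDOW, threshold))
    print("report to computing device:",
          compromised_identifiers(classify_window(INITIAL_LIST, ROGUE_WINDOW, threshold)))
    print("central baseline:", average_reports(BASELINE_REPORTS))
    print("central verdicts:", central_verdicts(BASELINE_REPORTS, LATER_REPORTS, threshold))
```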
April 14, 2026